
Short answer
- Microsoft documents CVE-2025-10891 in its Security Update Guide because the vulnerability is in Chromium (the open‑source engine) that Microsoft Edge (Chromium‑based) consumes — the entry tells customers “this issue existed in Chromium and has been addressed in the Edge builds that include the Chromium fix,” i.e., it announces that Edge builds containing the Chromium patch are no longer vulnerable.
- To check whether your browser is patched, open the browser’s About page; that page shows the exact product version and will trigger an update check (Edge: About Microsoft Edge / edge://settings/help; Chrome: About Google Chrome / chrome://settings/help). If the version installed is at or above the patched version (Chrome/Chromium fixed in 140.0.7339.207 according to public CVE notes), you’re not vulnerable to this particular Chromium V8 integer‑overflow.
1) Why the Chrome/Chromium CVE appears in Microsoft’s Security Update Guide
- Many Microsoft products (notably Microsoft Edge (the Chromium‑based client) and WebView2) include or are built on Chromium open‑source components. When a security issue is reported against Chromium (for example, a V8 integer‑overflow), Microsoft tracks that CVE in its Security Update Guide to: (a) document the issue, and (b) show whether/when the Microsoft product that consumes that OSS is still vulnerable or has been updated to include the upstream fix. In short: the CVE is “in Chromium OSS,” Edge uses that OSS, so Microsoft lists the CVE to tell Edge customers the status.
- Public vulnerability pages summarize the bug: integer overflow in V8 (Chromium’s JavaScript engine) that could lead to heap corruption/remote code execution; Chromium/Chrome builds prior to the patched release are affected. The Chromium/Chrome fixed‑version listed in multiple public trackers for this CVE is 140.0.7339.207 (so Chrome/Chromium builds earlier than that release are the ones recorded as vulnerable).
- Microsoft Edge (desktop)
  - Open Microsoft Edge.
  - Click the three dots menu (Settings and more) at the top‑right.
  - Choose Help and feedback → About Microsoft Edge.
  - The About page displays the current version and will automatically check for updates; if an update is available you’ll see a Download / Update option and a Restart button when the update is ready. (You can also go directly to edge://settings/help.)
- Google Chrome (desktop)
  - Open Chrome.
  - Click the three dots menu at the top‑right.
  - Choose Help → About Google Chrome.
  - The About page shows the exact version and triggers Chrome to check for and install updates (or go to chrome://settings/help).
4) How to interpret the version number for this CVE
- The Chromium/Chrome patch level for CVE‑2025‑10891 is reported as 140.0.7339.207 (that means Chrome/Chromium builds earlier than 140.0.7339.207 are the ones listed as vulnerable). If your Edge version number shows a major/minor build equivalent that Microsoft lists as incorporating Chromium 140.0.7339.207 or later, the Edge build has the upstream patch. Use the About page results to compare your installed version to the patched build.
- Immediate: open About Microsoft Edge (edge://settings/help) or About Google Chrome (chrome://settings/help). If an update is available, install it and restart the browser. The About page both shows your exact version and triggers the update process.
- If your device is managed by your organization (IT), updates may be controlled centrally; contact your IT admin to confirm when the Edge/Chrome build with the Chromium fix will be deployed. Microsoft’s update settings doc explains that managed environments can affect update toggles and behavior.
- After updating, verify the version number shown on the About page; if it is at or above the patched build reported in the CVE (see public trackers), the specific CVE is considered addressed in your browser.
- Microsoft’s Security Update Guide documents CVEs reported by industry partners (Chromium/Google, etc.) when those CVEs affect components that Microsoft ships (Edge, WebView2). The purpose is informational and to communicate the patched/unpatched state of Microsoft’s products, even if the original fix came from upstream (Chromium). This is why you’ll see Chromium CVEs listed in the Security Update Guide.
- Public CVE pages and security trackers (CVE indexes, Chrome release posts, vulnerability databases) are useful to confirm the patched Chromium/Chrome build number for a CVE; cross‑reference with the browser’s About page to confirm whether your installed build includes that fix.
- Walk you through checking your installed Edge/Chrome version step‑by‑step (screen‑by‑screen) for your OS (Windows, macOS, Linux), or
- Look up the exact Microsoft Edge Stable/Extended build that corresponds to Chromium 140.0.7339.207 (so you can confirm the exact Edge build number to look for), and the date Microsoft released that Edge build — tell me which OS/channel (Stable / Extended / Beta / Dev / Canary) you use and I’ll fetch the precise mapping and release notes.
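The version comparison described in section 4, as an added example (not code from Microsoft, Google or the original page): it compares About-page version strings against the fixed Chromium build numerically and leaves Edge as "unknown" unless the matching Edge build is supplied. The `edge_fixed` parameter and all sample strings are assumptions constructed for illustration.

```python
import re

# Fixed Chrome/Chromium build for CVE-2025-10891, as cited on this page.
CHROMIUM_FIXED = "140.0.7339.207"
_VERSION_RE = re.compile(r"\b(\d+)\.(\d+)\.(\d+)\.(\d+)\b")

def parse_version(text):
    """Return the four-part version in text as a tuple of ints, or None."""
    m = _VERSION_RE.search(text)
    return tuple(int(p) for p in m.groups()) if m else None

def assess(about_string, edge_fixed=None):
    """Classify one About-page version string as patched/vulnerable/unknown.

    edge_fixed (hypothetical parameter) is the Edge build Microsoft lists as
    containing the Chromium fix. The page does not state it, and Edge build
    numbers differ from Chromium's, so without it Edge stays 'unknown'.
    """
    installed = parse_version(about_string)
    if installed is None:
        return "unknown"
    if "edge" in about_string.lower():
        baseline = parse_version(edge_fixed or "")
    else:
        baseline = parse_version(CHROMIUM_FIXED)
    if baseline is None:
        return "unknown"
    # Tuples compare field by field as integers, so .99 < .207 as intended;
    # comparing the raw strings would rank "99" above "207".
    return "patched" if installed >= baseline else "vulnerable"

# Constructed sample strings, not taken from real machines.
SAMPLES = [
    "Google Chrome 140.0.7339.207",
    "Google Chrome 140.0.7339.99",
    "Chromium 139.0.7258.154",
    "Microsoft Edge 140.0.1111.22",
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(f"{s:32} {assess(s)}")
```
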
Source: MSRC Security Update Guide - Microsoft Security Response Center